Static Nat Issue on ASA 5505 since Migration to Asa 8.3

    Hi everyone,

    Since the migration of my Cisco ASA 5505 from ASA 8.2 to ASA 8.3, I can't use my public IP address in my DMZ anymore.

    In ASA 8.2 I just used this command:

    static (inside-public,outside) 100.100.213.171 100.100.213.171 netmask 255.255.255.255

    and I was able to access the internet from my server 100.100.213.171.

    In ASA 8.3 the command is now:

    object network obj-100.100.213.171
    host 100.100.213.171
    nat (inside-public,outside) static 100.100.213.171

    But doing this, I can't access the internet from this server.
    But if I do:

    object network obj-100.100.213.171
    host 100.100.213.171
    nat (inside-public,outside) static 100.100.213.172

    it works (but my server gets 100.100.213.172 on the outside).

    So for now I changed my whole DMZ IP range to 192.168.11.0 and translate to the correct IP addresses, and it works.

    object network obj-192.168.11.171
    host 192.168.11.171
    nat (inside-public,outside) static 100.100.213.171

    So my question is: why doesn't it work anymore?
    And am I wrong to put real public IP addresses in my DMZ?

    Also one note (but I don't know if it matters): the Cisco outside IP address is not in the same range as my other public IPs; it's 100.100.214.166/30.
    And my 8-address public IP range is 100.100.213.168/29.
    Last edited by psychoboust; 16th March 2011, 21:49.

  • #2
    Re: Static Nat Issue on ASA 5505 since Migration to Asa 8.3

    As you have discovered, there were some significant changes in the 8.3 release. Why Cisco did not rename the 8.3 release to 9.x has me scratching my head. The memory upgrade requirements were also quite frustrating.

    I can't answer your question, but I will admit I went through the same learning curve in translating existing NAT rules when I upgraded to 8.3.

    If you haven't done so already, I would read (or re-read) the following chapters from the link below. I know I had to read the object-NAT and twice-NAT chapters multiple times to fully comprehend them.

    http://www.cisco.com/en/US/docs/secu..._overview.html

    I can offer a couple of pointers that helped me translate existing NAT rules when I upgraded...

    1) Fully understand the section labeled NAT RULE ORDER.
    2) Similar to ACL line-number insertion and selection, you can insert NAT rules before other NAT rules.

    Good luck!
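    To make the two pointers above concrete, here is an added configuration example (not from this thread, the poster's ASA, or Cisco's documentation) showing where an object NAT rule and a manual (twice) NAT rule land in the 8.3 rule order, how a line number inserts a manual rule ahead of the others, and how to verify which rule a flow actually matches. The interface names and the 100.100.213.171 host come from the post; the objects obj-dmz-net and obj-dmz-rfc1918 and the 203.0.113.10 test destination are assumed values for illustration only, not a confirmed fix for the poster's issue.

    ```cisco
    ! Added example, not the poster's configuration. Section numbers refer to
    ! the "NAT rule order" the reply above points to.
    !
    ! Section 2 (object / "auto" NAT): the rule form the poster shows.
    ! Object NAT rules are matched after every Section 1 rule.
    object network obj-100.100.213.171
     host 100.100.213.171
     nat (inside-public,outside) static 100.100.213.171
    !
    ! Section 1 (manual / twice NAT): evaluated first, in line order.
    ! The explicit line number "1" inserts this rule ahead of any existing
    ! manual rules, the same way an ACL line number does. obj-dmz-net is an
    ! assumed object covering the /29 from the post.
    object network obj-dmz-net
     subnet 100.100.213.168 255.255.255.248
    nat (inside-public,outside) 1 source static obj-dmz-net obj-dmz-net
    !
    ! Section 3 (manual NAT placed after object NAT): a catch-all that only
    ! applies to traffic no Section 1 or 2 rule matched. obj-dmz-rfc1918 is an
    ! assumed object for the 192.168.11.0/24 range the poster now uses.
    object network obj-dmz-rfc1918
     subnet 192.168.11.0 255.255.255.0
    nat (inside-public,outside) after-auto source dynamic obj-dmz-rfc1918 interface
    !
    ! Verification: list the rules in the order the ASA evaluates them (with
    ! hit counts), then trace one flow to see which section and line it hits
    ! and whether it is permitted. 203.0.113.10 is a constructed destination.
    show nat detail
    packet-tracer input inside-public tcp 100.100.213.171 12345 203.0.113.10 80
    ```

    The packet-tracer output names the NAT rule and phase that matched, which is the quickest way to see whether an object NAT rule is being shadowed by a manual rule earlier in the order.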
